Wildcards ?
658 views
Skip to first unread message
Martin Gluckman
Jun 28, 2022, 5:24:18 PM6/28/22
to Wazuh mailing list
Greetings,
We are trying to filter out DWM-* in a field but the wildcards are not working.
This is in the Elastic reporting section of Wazuh (Open Distro), in Wazuh we go to OpenDistro for Elastic Search and then Reporting.
Thank you so much!
Martin
Jose Camargo
Jun 28, 2022, 6:50:20 PM6/28/22
to Wazuh mailing list
Hi Martin, hope you are well
Thank you for using Wazuh.
When you are searching for specific content inside alerts, you can use Lucene Query Syntax as explained in this blog: https://wazuh.com/blog/searching-for-alerts-using-the-wazuh-app-for-kibana/
For this particular example, you can use the search bar to set it like this:
NOT data.win.eventdata: DWM*
For this particular example, you can use the search bar to set it like this:
NOT data.win.eventdata: DWM*
Please be aware of not using the "-" character as it might affect the query's syntax.
This same result can be achieved using the filter option, as you did in the example you attached, but again the "-" character should not be used.
Please let me know if this was useful for you. I'll be glad to help if you have any issues.
Regards,
Jose
Reply all
Reply to author
Forward
0 new messages